Over 120 Million Facebook Users Exploited By NameTests Quiz App

Over 120 Million Facebook Users Exploited By NameTests Quiz App

To say Facebook has a data problem would be an understatement. While we all know of the Cambridge Analytica scandal, there’s another problem that just reared its head this month: NameTests.

What Is NameTests

Around Facebook for some time, NameTests requires users to sign into the platform like many other apps and games. From there it operates like many “quiz apps” on the site. In NameTests case, it basically told you things like “What does your name mean?” and “What X would be a good fit for you?” based on your name.

Facebook Is Deleting Latin American Policy Violators

While many were having with the app–or at minimum entertaining it–NameTests ended up exposing the data of roughly 120 million mostly American Facebook users. This massive leak was discovered by Inti De Ceukelaire, a Belgian security expert, and bug bounty hunter. As a matter of fact, it was through the company’s own Data Abuse Bounty program that he found the leak.

Ceukelaire’s Research

Using his friends’ regularly used apps as a sample pool, he came to the conclusion that the site’s many quiz apps were major leak culprits. In particular, NameTests which displayed users’ data in JavaScript. This allowed other websites to snag the information easily.

To further cement his findings, Ceukelaire also created a website which was connected to the quiz app. From there, he attempted to steal user data and was given access tokens. What he gained included friends lists, posts, and personal information that could be used for demographic purposes.

It Gets Worse

Even after a user was done with NameTests and deleted the app, it continued to share personal information because of the cookies the app needed. This meant that the only way to be rid of NameTests was to actually go in and delete them.

For reporting the leak in late April, Ceukelaire was awarded $8,000 which he requested go to charity. Of course, NameTest denied that the data collected was used maliciously by its advertising partners.

 


Starting with Kabir News in 2013, James has focused on tech, gaming, and entertainment. When not writing, he enjoys catching up on sci-fi and horror shows and comics. He can be followed on Twitter @MetalSwift.

Leave a Comment